CVE-2018-6341

MEDIUM

React 16.0.0-16.4.2 - Cross-Site Scripting via Unescaped Attribute Names

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-6341. PoCs published by diwangs.

AI-analyzed exploit summary This PoC demonstrates an XSS vulnerability in React 16 server-side rendering by injecting malicious script tags into user-provided data that is rendered without proper sanitization. The exploit leverages React's component rendering to execute arbitrary JavaScript in the browser context.

Description

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

Exploits (1)

nomisec WORKING POC
by diwangs · poc
https://github.com/diwangs/react16-ssr

This PoC demonstrates an XSS vulnerability in React 16 server-side rendering by injecting malicious script tags into user-provided data that is rendered without proper sanitization. The exploit leverages React's component rendering to execute arbitrary JavaScript in the browser context.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: React 16 (server-side rendering)
No auth needed
Prerequisites: Node.js environment · React 16 with server-side rendering enabled
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References

Scores

CVSS v3 6.1
EPSS 0.1007
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
facebook/react 16.0.0 - 16.0.1
npm/react-dom 16.0.0 - 16.0.1npm
Published Dec 31, 2018
Tracked Since Feb 18, 2026